[57] ABSTRACT

The present invention, generally speaking, provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs "envoys" that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to "qualify" the user, the requested communication, or both. Therefore, a high level of security may be achieved. The usual added burden of prior-art proxy systems is avoided in such a way as to achieve full transparency; the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two or more sets of virtual hosts. The firewall is, therefore, "multi-homed," each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In one aspect, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In another aspect, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.

21 Claims, 9 Drawing Sheets 
FIREWALL PROVIDING ENHANCED NETWORK SECURITY AND USER TRANSPARENCY

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to computer network security and more particularly to firewalls, i.e., a combination of computer hardware and software that selectively allows "acceptable" computer transmissions to pass through it and disallows other non-acceptable computer transmissions.

2. State of the Art 

In the space of just a few years, the Internet — because it provides access to information, and the ability to publish information, in revolutionary ways — has emerged from relative obscurity to international prominence. Whereas in general an internet is a network of networks, the Internet is a global collection of interconnected local, mid-level, and wide-area networks that use the Internet Protocol (IP) as the network layer protocol. Whereas the Internet embraces many local- and wide-area networks, a given local- or wide-area network may or may not form part of the Internet. For purposes of the present specification, a "wide-area network" (WAN) is a network that links at least two LANs over a wide geographical area via one or more dedicated connections. The public switched telephone network is an example of a wide-area network. A "local-area network" (LAN) is a network that takes advantage of the proximity of computers to typically offer relatively efficient, higher speed communications than wide-area networks.

In addition, a network may use the same underlying technologies as the Internet. Such a network is referred to herein as an "Intranet," an internal network based on Internet standards. Because the Internet has become the most pervasive and successful open networking standard, basing internal networks on the same standard is very attractive economically. Corporate Intranets have become a strong driving force in the marketplace of network products and services.

The present invention is directed primarily toward the connection of an Intranet to the Internet and the connection of intranets to other intranets, and any network connection where security is an issue.

As the Internet and its underlying technologies have become increasingly familiar, attention has become focused on Internet security and computer network security in general. With unprecedented access to information has also come unprecedented opportunities to gain unauthorized access to data, change data, destroy data, make unauthorized use of computer resources, interfere with the intended use of computer resources, etc. As experience has shown, the frontier of cyberspace has its share of scofflaws, resulting in increased efforts to protect the data, resources, and reputations of those embracing intranets and the Internet.

Firewalls are intended to shield data and resources from the potential ravages of computer network intruders. In essence, a firewall functions as a mechanism which monitors and controls the flow of data between two networks. All communications, e.g., data packets, which flow between the networks in either direction must pass through the firewall; otherwise, security is circumvented. The firewall selectively permits the communications to pass from one network to the other, to provide bidirectional security.

Ideally, a firewall would be able to prevent any and all security breaches and attacks. Although absolute security is indeed a goal to be sought after, due to many variables (e.g., physical intrusion into the physical plant) it may be difficult to achieve. However, in many instances, it is of equal if not greater importance to be alerted to an attack so that measures may be taken to thwart the attack or render it harmless, and to avoid future attacks of the same kind. Hence a firewall, in addition to security, should provide timely information that enables attacks to be detected.

Firewalls have typically relied on some combination of two techniques affording network protection: packet filtering and proxy services.

Packet filtering is the action a firewall takes to selectively control the flow of data to and from a network. Packet filters allow or block packets, usually while routing them from one network to another (often from the Internet to an internal network, and vice versa). To accomplish packet filtering, a network administrator establishes a set of rules that specify what types of packets (e.g., those to or from a particular IP address or port) are to be allowed to pass and what types are to be blocked. Packet filtering may occur in a router, in a bridge, or on an individual host computer.

Packet filters are typically configured in a "default permit stance"; i.e., that which is not expressly prohibited is permitted. In order for a packet filter to prohibit potentially harmful traffic, it must know what the constituent packets of that traffic look like. However, it is virtually impossible to catalogue all the various types of potentially harmful packets and to distinguish them from benign packet traffic. The filtering function required to do so is too complex. Hence, while most packet filters may be effective in dealing with the most common types of network security threats, this methodology presents many chinks that an experienced hacker may exploit. The level of security afforded by packet filtering, therefore, leaves much to be desired.

Recently, a further network security technique termed "stateful inspection" has emerged. Stateful inspection performs packet filtering not on the basis of a single packet, but on the basis of some historical window of packets on the same port. Although stateful inspection may enhance the level of security achievable using packet filtering, it is as yet relatively unproven. Furthermore, although an historical window of packets may enable the filter to more accurately identify harmful packets, the filter must still know what it is looking for. Building a filter with sufficient intelligence to deal with the almost infinite variety of possible packets and packet sequences is liable to prove an exceedingly difficult task.

The other principal methodology used in present-day firewalls is proxies. In order to describe prior-art proxy-based firewalls, some further definitions are required. A "node" is an entity that participates in network communications. A subnetwork is a portion of a network, or a physically independent network, that may share network addresses with other portions of the network. An intermediate system is a node that is connected to more than one subnetwork and that has the role of forwarding data from one subnetwork to the other (i.e., a "router").

A proxy is a program, running on an intermediate system, that deals with servers (e.g., Web servers, FTP servers, etc.) on behalf of clients. Clients, e.g. computer applications which are attempting to communicate with a network that is protected by a firewall, send requests for connections to proxy-based intermediate systems. Proxy-based intermediate systems relay approved client requests to target servers and relay answers back to clients.

Proxies require either custom software (i.e., proxy-aware applications) or custom user procedures in order to establish a connection. Using custom software for proxying presents several problems. Appropriate custom client software is often available only for certain platforms, and the software available for a particular platform may not be the software that users prefer. Furthermore, using custom client software, users must perform extra manual configuration to direct the software to contact the proxy on the intermediate system. With the custom procedure approach, the user tells the client to connect to the proxy and then tells the proxy which host to connect to. Typically, the user will first enter the name of a firewall that the user wishes to connect through. The firewall will then prompt the user for the name of the remote host the user wishes to connect to. Although this procedure is relatively simple in the case of a connection that traverses only a single firewall, as network systems grow in complexity, a connection may traverse several firewalls. Establishing a proxied connection in such a situation starts to become a confusing maze, and a significant burden to the user, since the user must know the route the connection is to take.

Furthermore, since proxies must typically prompt the user or the client software for a destination using a specific protocol, they are protocol-specific. Separate proxies are therefore required for each protocol that is to be used.

Another problematic aspect of conventional firewall arrangements, from a security perspective, is the common practice of combining a firewall with other packages on the same computing system. The firewall package itself may be a combination of applications. For example, one well-known firewall is a combination Web server and firewall. In other cases, unrelated services may be hosted on the same computing platform used for the firewall. Such services may include e-mail, Web servers, databases, etc. The provision of applications in addition to the firewall on a computing system provides a path through which a hacker can potentially get around the security provided by the firewall. Combining other applications on the same machine as a firewall also has the result of allowing a greater number of users access to the machine. The likelihood then increases that a user will, deliberately or inadvertently, cause a security breach.

There remains a need for a firewall that achieves both maximum security and maximum user convenience, such that the steps required to establish a connection are transparent to the user. The present invention addresses this need.

The present invention, generally speaking, provides a firewall that achieves maximum network security and maximum user convenience. The firewall employs "envoys" that exhibit the security robustness of prior-art proxies and the transparency and ease-of-use of prior-art packet filters, combining the best of both worlds. No traffic can pass through the firewall unless the firewall has established an envoy for that traffic. Both connection-oriented (e.g., TCP) and connectionless (e.g., UDP-based) services may be handled using envoys. Establishment of an envoy may be subjected to a myriad of tests to "qualify" the user, the requested communication, or both. Therefore, a high level of security may be achieved.

Security may be further enhanced using out-of-band authentication. In this approach, a communication channel, or medium, other than the one over which the network communication is to take place, is used to transmit or convey an access key. The key may be transmitted from a remote location (e.g., using a pager or other transmission device) or may be conveyed locally using a hardware token, for example. To gain access, a hacker must have access to a device (e.g., a pager, a token etc.) used to receive the out-of-band information. Pager beep-back or similar authentication techniques may be especially advantageous in that, if a hacker attempts unauthorized access to a machine while the authorized user is in possession of the device, the user will be alerted by the device unexpectedly receiving the access key. The key is unique to each transmission, such that even if a hacker is able to obtain it, it cannot be used at other times or places or with respect to any other connection.

Using envoys, the added burden associated with prior-art proxy systems is avoided so as to achieve full transparency; the user can use standard applications and need not even know of the existence of the firewall. To achieve full transparency, the firewall is configured as two sets of virtual hosts. The firewall is, therefore, "multi-homed," each home being independently configurable. One set of hosts responds to addresses on a first network interface of the firewall. Another set of hosts responds to addresses on a second network interface of the firewall. In accordance with one aspect of the invention, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface. In accordance with another aspect of the invention, automatic transparency may be achieved using code for dynamically mapping remote hosts to virtual hosts in accordance with a technique referred to herein as dynamic DNS, or DDNS.

The firewall may have more than two network interfaces, each with its own set of virtual hosts. Multiple firewalls may be used to isolate multiple network layers. The full transparency attribute of a single firewall system remains unchanged in a multi-layered system: a user may, if authorized, access a remote host multiple network layers removed, without knowing of the existence of any of the multiple firewalls in the system.

Furthermore, the firewalls may be configured to also transparently perform any of various kinds of channel processing, including various types of encryption and decryption, compression and decompression, etc. In this way, virtual private networks may be established whereby two remote machines communicate securely, regardless of the degree of proximity or separation, in the same manner as if the machines were on the same local area network.

The problem of Internet address scarcity may also be addressed using multi-layer network systems of the type described. Whereas addresses on both sides of a single firewall must be unique in order to avoid routing errors, network segments separated by multiple firewalls may reuse the same addresses.

BRIEF DESCRIPTION OF THE DRAWING

The present invention may be further understood from the following description in conjunction with the appended drawing. In the drawing:

FIG. 1 is a block diagram of a multi-layered computer enterprise network in which the present invention may be used;

FIG. 2 is a block diagram of a network similar to the network of FIG. 1 but in which a two-sided firewall has been replaced by a three-sided firewall;

FIG. 3 is a block diagram showing in greater detail a special-purpose virtual host used for configuration of a firewall;
FIG. 4 is a block diagram of a load-sharing firewall;

FIG. 5 is a block diagram of one embodiment of the firewall of the present invention;

FIG. 6 is a block diagram illustrating the manner in which the present firewall handles connection requests;

FIG. 7 is an example of a portion of the master configuration file of FIG. 5;

FIG. 8 is a block diagram illustrating in greater detail the structure of the present firewall; and

FIG. 9 is a block diagram of a combination firewall that allows the bulk of the entire Internet address space to be used on both sides of the firewall.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following terms are used in the present specification in accordance with the following definitions:

Concept/Feature: Definition

Multi-homing: Multiple virtual hosts running on a single physical machine, using multiple network addresses on a single network interface. A virtual host assumes the identity of one of multiple, independently-configurable "homes" to handle a particular connection at a particular time.

Programmable transparency: The ability to establish a connection through a firewall without requiring that the user be aware of the firewall.

Envoy: An intervening program that functions as a transparent applications gateway.

Multi-layering: The use of programmable transparency to achieve end-to-end connection across an arbitrary number of networks that are connected by multiple multi-homing firewalls.

Configurator: Code that provides a Web-like interface, accessible remotely through a secure port, for configuring a firewall.

N-dimensional firewall: A firewall having N network interfaces and configured to provide multiple virtual hosts for each interface.

Out-of-band authentication: In deciding whether to allow or disallow a connection by a user, the use of information communicated to the user through means other than the desired connection.

Channel processing: Processing performed on data flowing through a communications channel to enhance some attribute of the data, such as security, reproduction quality, content, etc.

Virtual private network: An internet in which envoys (intervening programs) are used to perform encrypted communications from one secure network to another through a non-secure network.

DDNS: The dynamic assignment of network addresses to virtual hosts on a time-limited basis.

Load sharing: The use of DDNS to assign a network address for a particular connection to a virtual host on one of multiple machines based on the load of the machines.

Address reuse: The use of the same network address within different networks separated by firewalls.

Programmable transparency — connectionless protocols: The use of envoys for connectionless (e.g., UDP) communications in which a time-out value is used to achieve the equivalent of a connection.



The present firewall provides a choke point used to control the flow of data between two networks. One of the two networks may be the Internet, or both of the two networks may be intranets; the nature and identity of the two networks is immaterial. The important point is that all traffic between the two networks must pass through a single, narrow point of controlled access. A firewall therefore brings a great deal of leverage to bear on the problem of network security, allowing security measures to be concentrated on this controlled access point. To avoid possible security compromises, the firewall should ideally run on a dedicated computer, i.e. one which does not have any other user-accessible programs running on it that could provide a path via which communications could circumvent the firewall.

One environment in which firewalls are particularly desirable is in enterprise network systems, in which a number of individual networks that may be respectively associated with different departments or divisions of a company, for example, are connected with one another. In such an environment, firewalls can be employed to restrict access to the individual networks. While not limited to this particular situation, the present invention will be described hereinafter in such a context, to facilitate an understanding of its underlying principles.

Referring now to FIG. 1, assume that the accounting departments of two remote corporate sites are networked, and that these two different accounting networks are to be connected via the Internet or a similar non-secure, wide-area network. For purposes of illustration, a first site 101 having a first accounting network 103 might be located in California, and a second site 151 having a second accounting network 153 might be located in Japan. Within each site, each accounting network may be part of a larger corporate network (109, 159). Precautions are required to safeguard sensitive accounting data such that it cannot be accessed over the general corporate network. A first firewall (105, 155) is used for this purpose. The first firewall is interposed between the accounting network and the general corporate network.

A convenient way to place the two accounting networks in communication with each other is through the Internet 120, which comprises another layer of a multi-layer network. As compared to other forms of connection, the Internet may be more economical, more easily accessible, and more robust. Connecting to the Internet, however, requires that access between the Internet and the respective sites be strictly controlled. A second firewall (107, 157) is used at each site for this purpose.

In the following description, the present firewall is illustrated most often as a rectangle having along each of two edges thereof a network connection and a row of boxes representing multiple "homes," corresponding to respective virtual hosts. A virtual host along one edge may be used to initiate a connection only in response to a request from the network connection that enters the firewall at that edge. The connection, once established, is fully bi-directional, with the same virtual host passing data between the originating network connection and the network connection at the opposite edge of the firewall.

More generally, the firewall may be N-sided, having N network connections and being illustrated as an N-sided polygon. Any virtual host may establish a connection between any pair of network connections so long as the connection originated from the network connection adjoining that virtual host. Again, the connection, once established, is fully bidirectional.

The firewalls 105, 107, 155 and 157 are each of a construction to be more particularly described hereinafter. Each firewall is multi-homing. This means that each firewall is configured as multiple virtual hosts running on a physical computer. In the example of FIG. 1, a firewall is depicted as a single computer having multiple virtual hosts on each of its two interfaces. In practice, the multiple virtual hosts can be configured in this manner or, alternatively, implemented in any number of computers, as explained in detail hereinafter.
Each virtual host corresponds to a "home", i.e. a site via which a connection is made between the two networks on either side of the firewall. At different times, the same virtual host might correspond to different homes associated with different connections. At any given time, however, a virtual host represents one home. In the following description of the particular example illustrated in FIG. 1, therefore, homes and virtual hosts are described as being synonymous with one another. Each virtual host is fully independently configurable and unique from each of the other virtual hosts. Considering the firewall 105 as being exemplary of each of the firewalls 105, 107, 155 and 157, one set of hosts 105a responds to addresses on a first network interface of the firewall. Another set of hosts 105b responds to addresses on a second network interface of the firewall.

Normally, in accordance with the prior art, connecting from one computer to another remote computer along a route traversing one or more firewalls would require the user to configure a prior-art proxy for each firewall to be traversed. In accordance with one aspect of the invention, however, programmable transparency is achieved by establishing DNS mappings between remote hosts to be accessed through one of the network interfaces and respective virtual hosts on that interface.

DNS is a distributed database system that translates host names to IP addresses and IP addresses to host names (e.g., it might translate host name homer.odyssey.com to 129.186.424.43). The information required to perform such translations is stored in DNS tables. Any program that uses host names can be a DNS client. DNS is designed to translate and forward queries and responses between clients and servers.

When a client needs a particular piece of information (e.g., the IP address of homer.odyssey.com), it asks its local DNS server for that information. The local DNS server first examines its own local memory, such as a cache, to see if it already knows the answer to the client's query. If not, the local DNS server asks other DNS servers, in turn, to discover the answer to the client's query. When the local DNS server gets the answer (or decides that for some reason it cannot), it stores any information it received and answers the client. For example, to find the IP address for homer.odyssey.com, the local DNS server first asks a public root name server which machines are name servers for the com domain. It then asks one of those "com" name servers which machines are name servers for the odyssey.com domain, and then it asks one of those name servers for the IP address of homer.odyssey.com.

This asking and answering is all transparent to the client. As far as the client is concerned, it has communicated only with the local server. It does not know or care that the local server may have contacted several other servers in the process of answering the original question.

Referring still to FIG. 1, the firewall 105 is associated with a respective domain name server 115. Each of the other firewalls 107, 155, 157 is also associated with a respective domain name server 117, 165, 167. The domain name server may be a dedicated virtual host on the same physical machine as the firewall. Alternatively, the domain name server may be a separate machine. A domain name server is provided for each layer in the multi-layer network.

In operation, assume now that a client C on the accounting network 103 is to connect to a host D on the accounting network 153 on a repeated basis. The DNS tables of each of the firewalls may then be programmed so as to enable such a connection to be established transparently, without the user so much as being aware of any of the firewalls 105, 107, 155, 157 — hence the term programmable transparency. Both forward and reverse table entries are made in the domain name servers. Within a domain name server 115, for example, D (the name of the remote host, e.g., machl.XYZcorp.com) might be mapped to a virtual host having a network address that concludes with the digits 1.1, and vice versa. Within the domain name server 117, D might be mapped to 5.4, within the domain name server 167, D might be mapped to 3.22, and within the domain name server 165, D might be mapped to 4.5, where each of the foregoing addresses has been randomly chosen simply for purposes of illustration. Finally, within a conventional DNS server (not shown), D is mapped to the "real" network address (e.g., the IP address) of D, say, 55.2.

When client C tries to initiate a connection to host D using the name of D, DNS operates in the usual manner to propagate a name request to successive levels of the network until D is found. The DNS server for D returns the network address of D to a virtual host on the firewall 155. The virtual host returns its network address to the virtual host on the firewall 157 from which it received the lookup request, and so on, until a virtual host on the firewall 105 returns its network address (instead of the network address of D) to the client C. This activity is all transparent to the user.

Note that at each network level, the virtual host handling a connection is indistinguishable to the preceding virtual (or real) host from D itself. Thus, to the client C, the virtual host 1.1 is D, to the virtual host 1.1, the virtual host 5.4 is D, etc. There is no limit to the number of network layers that may be traversed in this fashion, or any difference in operation as the number of network layers increases. This multi-layering capability allows two remote machines to communicate with the same ease as if the machines were on the same local area network, regardless of the degree of proximity or separation.
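The lookup chain just described, as an added model that is not code from the patent: each layer's name server carries the forward entry for D given in the text (1.1, 5.4, 3.22, 4.5, then the real address 55.2), the client learns only the first virtual host, and a layer holding no entry for a name establishes no envoy for it. The server labels, the chain order and the "next_hop" linkage are assumptions drawn from the FIG. 1 description.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NameServer:
    """One domain name server of the FIG. 1 network. `forward` holds the
    name -> address entries made at this layer; `next_hop` is the name server
    that the virtual host answering at this layer consults in its turn."""
    label: str
    forward: Dict[str, str]
    next_hop: Optional["NameServer"] = None

    def lookup(self, name: str) -> Optional[str]:
        """What a client of this server learns for `name`: on a firewall layer
        it is a virtual host on that layer's firewall, never D's real address."""
        return self.forward.get(name)

    def reverse_lookup(self, address: str) -> Optional[str]:
        """Reverse entry: the virtual host at `address` answers to D's name, so
        to the preceding host it is indistinguishable from D."""
        for name, addr in self.forward.items():
            if addr == address:
                return name
        return None


def envoy_chain(server: NameServer, name: str) -> Optional[List[str]]:
    """Trace the hops a connection to `name` traverses when the client asks
    `server`. Each virtual host that answers for `name` repeats the lookup in
    the next layer and connects onward, so the chain ends at D's real address.
    Returns None if some layer holds no entry for `name`: that layer then
    establishes no envoy and the traffic does not pass."""
    hops: List[str] = []
    current: Optional[NameServer] = server
    while current is not None:
        address = current.lookup(name)
        if address is None:
            return None
        hops.append(address)
        current = current.next_hop
    return hops


def fig1_servers() -> NameServer:
    """Constructed tables using the illustrative addresses from the text:
    115 -> 1.1, 117 -> 5.4, 167 -> 3.22, 165 -> 4.5, conventional DNS -> 55.2.
    Returns the server that client C on network 103 asks first."""
    d = "machl.XYZcorp.com"
    conventional = NameServer("conventional", {d: "55.2"})
    ns165 = NameServer("165", {d: "4.5"}, conventional)
    ns167 = NameServer("167", {d: "3.22"}, ns165)
    ns117 = NameServer("117", {d: "5.4"}, ns167)
    return NameServer("115", {d: "1.1"}, ns117)


if __name__ == "__main__":
    ns115 = fig1_servers()
    d = "machl.XYZcorp.com"
    print("client C sees D as", ns115.lookup(d))
    print("envoy chain:", " -> ".join(envoy_chain(ns115, d)))
    print("unknown name:", envoy_chain(ns115, "other.XYZcorp.com"))
```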

Programmable transparency is based upon what may be termed "envoys." Important differences exist between envoys as described herein and conventional proxies. Normally, a prior-art proxy would have to prompt the user to enter a destination. To enable such prompting to occur, different proxy code has conventionally been required for each protocol to be proxied. Using programmable transparency, the destination is provided to an envoy using DNS and/or DDNS as described more fully hereinafter. There is therefore no need to always prompt the user for a destination and no need for the user to always enter a destination (although a mode of operation may be provided in which the user is prompted for and does enter a destination). Instead of a collection of conventional protocol-specific proxies, a single generic envoy program may be used.

The foregoing discussion has focused on the programmable transparency aspects of the present firewall. Of course, a primary function of a firewall is to selectively allow and disallow communications. Hence, in the course of establishing a connection, each virtual host examines a configuration table to determine, based on the particulars of the requested connection — source, destination, protocol, time-of-day, port number, etc. — whether such a connection will be allowed or disallowed. The process by which connection requests may be scrutinized is described in greater detail in U.S. patent application No. 08/595,957 entitled FIREWALL SYSTEM FOR PROTECTING NETWORK ELEMENTS CONNECTED TO A PUBLIC NETWORK, filed Feb. 6, 1996 and incorporated herein by reference.
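An added example, not the patent's own code, of the qualification step: a virtual host checks the particulars of a request (source, destination, protocol, port, time of day) against a constructed configuration table and establishes an envoy only on an explicit allow, so traffic the table does not mention is refused, the reverse of the "default permit stance" of the packet filters in the background. The rule fields, port numbers and time windows are assumptions for illustration; the wrap-past-midnight window is the edge case a time-of-day rule has to handle.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ConnectionRequest:
    """The particulars of a requested connection that a virtual host examines."""
    source: str
    destination: str
    protocol: str      # "tcp" or "udp"
    port: int
    at: time           # time of day at which the request arrives


@dataclass(frozen=True)
class Rule:
    """One entry of a virtual host's configuration table (constructed format).
    A field left as None places no constraint; a rule matches only when every
    set field matches. The time-of-day window is inclusive and may wrap past
    midnight, e.g. (22:00, 06:00)."""
    allow: bool
    source: Optional[str] = None
    destination: Optional[str] = None
    protocol: Optional[str] = None
    port: Optional[int] = None
    window: Optional[Tuple[time, time]] = None

    def matches(self, req: ConnectionRequest) -> bool:
        if self.source is not None and self.source != req.source:
            return False
        if self.destination is not None and self.destination != req.destination:
            return False
        if self.protocol is not None and self.protocol != req.protocol.lower():
            return False
        if self.port is not None and self.port != req.port:
            return False
        if self.window is not None and not in_window(self.window, req.at):
            return False
        return True


def in_window(window: Tuple[time, time], at: time) -> bool:
    """Inclusive time-of-day test; a window whose start is later than its end
    wraps around midnight."""
    start, end = window
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end


def qualify(table: Sequence[Rule], req: ConnectionRequest) -> bool:
    """Decide whether an envoy is established for `req`. The first matching
    rule decides; with no matching rule nothing is established and the traffic
    does not pass (default deny)."""
    for rule in table:
        if rule.matches(req):
            return rule.allow
    return False


def request(source: str, destination: str, protocol: str, port: int,
            hhmm: str) -> ConnectionRequest:
    """Convenience constructor taking the time of day as "HH:MM"."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return ConnectionRequest(source, destination, protocol, port, time(hour, minute))


# Constructed table for the virtual host serving client C on network 103:
# UDP to D is refused outright, interactive TCP to D on port 23 is allowed
# during office hours, an overnight transfer to D on port 21 is allowed in a
# window that wraps midnight, and anything else is refused by default.
D = "machl.XYZcorp.com"
TABLE: List[Rule] = [
    Rule(allow=False, destination=D, protocol="udp"),
    Rule(allow=True, source="C", destination=D, protocol="tcp", port=23,
         window=(time(8, 0), time(18, 0))),
    Rule(allow=True, source="C", destination=D, protocol="tcp", port=21,
         window=(time(22, 0), time(6, 0))),
]

if __name__ == "__main__":
    for req in (request("C", D, "tcp", 23, "09:30"),
                request("C", D, "tcp", 23, "19:00"),
                request("C", D, "udp", 23, "09:30"),
                request("C", D, "tcp", 21, "02:00"),
                request("X", D, "tcp", 23, "09:30")):
        print(req, "->", "envoy established" if qualify(TABLE, req) else "refused")
```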

The firewall may have more than two network interfaces, each with its own set of virtual hosts. Referring to FIG. 2, for example, the two-sided firewall discussed previously in relation to FIG. 1 has been replaced by a three-sided firewall 205. An accounting department network 203 and a general corporate network 209 are connected to the firewall 205 as previously described. Also connected to the firewall 205 is an engineering department network 202. In general, a firewall may be N-sided, having N different network connections. For each network connection there may be multiple virtual hosts which operate in the manner described above.

Referring again to FIG. 1, configuration of the firewalls may be easily accomplished by providing on each firewall a special-purpose virtual host that runs "Configurator" software, software that provides a Web-based front-end for editing configuration files for the other virtual hosts on the firewall. The special-purpose virtual host (116, 118, 166 and 168 in FIG. 1) is preferably configured so as to allow only a connection from a specified secure client. The Configurator software running on the special-purpose virtual host is HTML-based in order to provide an authorized system administrator a familiar "point-and-click" interface for configuring the virtual firewalls in as convenient a manner as possible using a standard Web browser. Since Web browsers are available for virtually every platform, there results a generic GUI interface that takes advantage of existing technology.

Referring more particularly to FIG. 3, there is shown a firewall 305 having a first set of virtual hosts 305a, a second set of virtual hosts 305b and a DNS/DDNS module 315. The virtual hosts do not require and preferably do not have access to the disk files of the underlying machine. Instead, virtual host processes are spawned from a daemon process that reads a master configuration file from disk once at start-up. The DNS/DDNS module and the special-purpose virtual host 317 do have access to disk files 316 of the underlying physical machine. The special-purpose virtual host 317, shown in exploded view, runs an HTML-based Configurator module 319. Access to the special-purpose virtual host is scrutinized in accordance with rules stored on disk within configuration files 321. Typically, these rules will restrict access to a known secure host, will require at least username/password authentication and optionally more rigorous authentication. Once access is granted, the Configurator module will send to the authorized accessing host a first HTML page. From this page, the user may navigate through different HTML pages using a conventional Web browser and may submit information to the special-purpose virtual host. The special-purpose virtual host will then use this information to update the configuration files 321.

As will be appreciated more fully from the description of FIG. 7 hereinafter, configuration is based on host names, not IP addresses. As a result, two mappings are required in order to handle a connection request. The requestor needs an IP address. To this end, a first mapping maps from the host name received in the connection request to the IP address of a virtual host. The virtual host, however, needs the host name of the host to be connected to. To this end, the second mapping maps back to the host name in order to read an appropriate configuration file or sub-file based on the host name. Thus, when a connection request is received for homer.odyssey.com, DNS/DDNS in effect says to the requestor "Use virtual host X.X.X.X," where X.X.X.X represents an IP address. Then, when the virtual host receives the request, it performs a reverse lookup using DNS/DDNS, whereupon DNS/DDNS in effect says "Virtual host X.X.X.X, use the configuration information for homer.odyssey.com."

Security may be further enhanced, both with respect to connections to the special-purpose virtual host for configuration purposes and also with respect to connections generally, by using out-of-band user authentication. Out-of-band authentication uses a channel, a device or any other communications method or medium which is different from that over which the inter-network communication is to take place to transmit or convey an access key. Hence, in the example of FIG. 1, the firewall 155, upon receiving a connection request from a particular source, might send a message including a key to a pager 119 of the authorized user of the source client. The user might be requested to simply enter the key. In more sophisticated arrangements the user may be required to enter the key into a special hardware token to generate a further key. To gain access, a hacker must therefore steal one or more devices (e.g., a pager used to receive the out-of-band transmissions, a hardware token, etc.). Furthermore, if a hacker attempts unauthorized access to a machine while the authorized user is in possession of the pager or other communications device, the user will be alerted by the device unexpectedly receiving a message and access key.

Other methods may be used to communicate out-of-band so as to deliver the required access key. For example, the firewall 155 might send a fax to the fax number of the user of the source machine. Alternatively, identifying information may be sent to the user across the network, after which the user may be required to dial an unpublished number and enter the identifying information in order to receive a voice message containing the required key.

In each of the foregoing methodologies, the key is connection-specific. That is, once the connection is closed or the attempt to establish a connection is abandoned, if a user again attempts to establish a connection, the key that previously applied or would have applied is no longer applicable.

The different virtual hosts may also be configured to perform channel processing of various sorts as traffic traverses different network segments. Channel processing may include encryption, decryption, compression, decompression, image or sound enhancement, content filtering, etc. Channel processing is the processing performed on data flowing through a communications channel to enhance some attribute of the data, such as security, reproduction quality, etc. In some instances, channel processing may actually affect the content of the data, for example "bleeping" obscenities by replacing them with a distinctive character string. Alternatively, channel processing may intervene to cause a connection to be closed if the content to be sent on that connection is found to be objectionable.

Channel processing may be performed using existing standard software modules. In the case of encryption and decryption, for example, modules for DES, RSA, Cylink, SET, SSL, and other types of encryption/decryption and authentication may be provided on the firewall. In the case of compression and decompression, standard modules may include MPEG, JPEG, LZ-based algorithms, etc. Based on information contained in the configuration files, information passing through the firewall may be processed using one or more such modules depending on the direction of data flow.

Channel processing may be used to perform protocol translation, for example between IP and some other protocol or protocols. One problem that has recently received attention is that of using IP for satellite uplink and downlink transmissions. The relatively long transit times involved in satellite transmissions can cause problems using IP. One possible solution is to perform protocol translation between IP and an existing protocol used for satellite transmissions. Such protocol translation could be performed transparently to the user using a firewall of the type described.

Channel processing may also be used to perform virus detection. Blanket virus detection across all platforms is a daunting task and may not be practical in most cases. A system administrator may, however, configure the system to perform specified virus checking for specified hosts.

Encryption and decryption are particularly important to the security of Internet and network communications. In the example just described, on the network between firewalls 105 and 107, DES encryption might be used in accordance with the configuration file on firewalls 105 and 107. On the network between firewall 105 and firewall 155, Triple DES may be used. On the network between 155 and 157, RSA encryption may be used. Alternatively, encryption may be performed between firewalls 105 and 155 and also between 107 and 155 and also between 157 and 155. Thus the firewall 157 may then decrypt the cumulative results of the foregoing multiple encryptions to produce clear text to be passed on to host D. Combining encryption capabilities with programmable transparency as described above allows for the creation of virtual private networks, networks in which two remote machines communicate securely through cyberspace in the same manner as if the machines were on the same local area network.

Using DDNS, mappings between a host machine and a virtual host are performed dynamically, on-the-fly, as required. Any of various algorithms may be used to select a virtual host to handle a connection request, including, for example, a least-recently-used strategy. A time-out period is established such that, if a connection has been closed and is not reopened within the time-out period, the virtual host that was servicing that connection may be re-mapped so as to service another connection, i.e., it becomes associated with a different node. In this manner, the number of clients that may be serviced is vastly increased. In particular, instead of the number of clients that may use a particular network interface being limited to the number of virtual hosts on that interface as would be the case using static DNS entries, using DDNS, any number of hosts may use a particular network interface subject to availability of a virtual host. Moreover, instead of making static DNS entries at each level of a multi-level network, using DDNS, such entries are rendered unnecessary.

DDNS allows for dynamic load sharing among different physical machines. Hence, instead of a single physical machine, one or more of the firewalls in FIG. 1 might be realized by two or more physical machines. When performing mapping, DDNS can take account of the load on the physical machine using conventional techniques. If one physical machine fails, the functions of that machine may still be performed by virtual hosts running on another physical machine. DDNS likewise allows a firewall to be scaled up very easily, by adding one or more additional physical machines and configuring those machines as additional virtual hosts having identical configurations as on the existing physical machine or machines, but different network addresses.

Referring more particularly to FIG. 4, a load-sharing firewall is realized using a first firewall 407 and a second firewall 408 connected in parallel to a network 420 such as the Internet. Redundancy is provided by conventional DNS procedures. That is, in DNS, redundant name servers are required by the DNS specification. If a query addressed to one of the redundant name servers does not receive a response, the same query may then be addressed to another name server. The same result holds true in FIG. 4. If one of the physical firewall machines 407 or 408 is down, the other machine enables normal operation to continue.
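The connection-specific out-of-band key described above can be modelled as follows. This is an added example, not code from the patent: the pager, fax or voice channel is abstracted as an injected callable so the module runs offline, the key lifetime, the `OutOfBandAuthenticator` and `token_response` names, the HMAC-based "hardware token" transform and all addresses and user names are this example's own assumptions. What it shows is the property the text states: a key is issued per connection attempt, is consumed on first use, and is useless for any later attempt.

```python
"""Connection-specific out-of-band access keys (added example, not the patent's code).

On a connection request the firewall issues a fresh random key and pushes it
over a channel other than the network being protected (modelled by `send`).
The user presents the key back, optionally transformed by a hardware token
(modelled as an HMAC under a per-user token secret). Each key is bound to
one connection attempt and dies with it: it cannot be reused, cannot be
replayed against a later attempt, and expires if not used promptly.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

ConnId = Tuple[str, str, int]   # (source address, destination name, attempt number)


@dataclass
class PendingKey:
    key: str
    expires_at: float


def token_response(secret: bytes, key: str) -> str:
    """What a hardware token computes from the delivered key (example design)."""
    return hmac.new(secret, key.encode(), hashlib.sha256).hexdigest()


@dataclass
class OutOfBandAuthenticator:
    send: Callable[[str, str], None]          # send(user, key) over the out-of-band channel
    directory: Dict[str, str]                 # source address -> authorized user
    token_secrets: Dict[str, bytes] = field(default_factory=dict)  # user -> token secret
    key_lifetime: float = 120.0               # seconds a delivered key stays valid (assumed)
    _pending: Dict[ConnId, PendingKey] = field(default_factory=dict)
    _attempts: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def request_connection(self, source: str, dest: str, now: float) -> Optional[ConnId]:
        """Issue a fresh key for this attempt and deliver it out-of-band."""
        user = self.directory.get(source)
        if user is None:
            return None                       # no registered user: nothing is sent
        n = self._attempts.get((source, dest), 0) + 1
        self._attempts[(source, dest)] = n
        conn_id = (source, dest, n)
        key = secrets.token_hex(8)            # 64 random bits per attempt
        self._pending[conn_id] = PendingKey(key, now + self.key_lifetime)
        self.send(user, key)
        return conn_id

    def _expected(self, user: str, key: str) -> str:
        secret = self.token_secrets.get(user)
        return key if secret is None else token_response(secret, key)

    def verify(self, conn_id: ConnId, response: str, now: float) -> bool:
        """Accept the response at most once; the key is consumed either way."""
        pending = self._pending.pop(conn_id, None)
        if pending is None or now > pending.expires_at:
            return False
        user = self.directory[conn_id[0]]
        return hmac.compare_digest(self._expected(user, pending.key), response)

    def abandon(self, conn_id: ConnId) -> None:
        """Closing or abandoning the attempt discards any key issued for it."""
        self._pending.pop(conn_id, None)


def demo() -> dict:
    """Exercise the flow with a constructed in-memory stand-in for the pager."""
    delivered = []
    secret = b"constructed-token-secret"
    auth = OutOfBandAuthenticator(
        send=lambda user, key: delivered.append((user, key)),
        directory={"192.168.0.7": "alice"},
        token_secrets={"alice": secret},
    )
    out = {}
    # Attempt 1: key reaches alice's pager; her token turns it into the response.
    c1 = auth.request_connection("192.168.0.7", "homer.odyssey.com", now=0.0)
    k1 = delivered[-1][1]
    out["first_attempt_ok"] = auth.verify(c1, token_response(secret, k1), now=5.0)
    out["key_not_reusable"] = auth.verify(c1, token_response(secret, k1), now=6.0)
    # Attempt 2: replaying attempt 1's response must fail (key is connection-specific).
    c2 = auth.request_connection("192.168.0.7", "homer.odyssey.com", now=10.0)
    out["old_key_rejected"] = auth.verify(c2, token_response(secret, k1), now=11.0)
    # Attempt 3: a key that is not used within its lifetime is rejected.
    c3 = auth.request_connection("192.168.0.7", "homer.odyssey.com", now=20.0)
    k3 = delivered[-1][1]
    out["expired_rejected"] = auth.verify(c3, token_response(secret, k3), now=141.0)
    # Unregistered source: no key is sent, so nothing can be verified.
    out["unknown_source"] = auth.request_connection("10.0.0.9", "homer.odyssey.com", now=30.0) is None
    out["pages_sent"] = len(delivered)
    return out
```

The unexpected-page alert the text mentions falls out of the design: every `request_connection` call delivers a message to the registered user, so an attempt the user did not make is visible to them at once.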

The configuration of FIG. 4, however, further allows the physical firewall machines 407 and 408 to share the aggregate processing load of current connections. Load sharing may be achieved in the following manner. Each of the DNS modules of all of the machines receives all DNS queries, because the machines are connected in parallel. Presumably, the DNS module of the machine that is least busy will be the first to respond to a query. An ensuing connection request is then mapped to a virtual host on the responding least-busy machine.
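The forward and reverse mappings, the least-recently-used re-mapping after a time-out, and the load-sharing across parallel machines described in the preceding paragraphs can be put together in one small model. This is an added example and not the patent's code: the `DynamicMapper` and `LoadSharingResolver` names, the per-packet refresh of the idle clock, the rule that a virtual host with an open connection is never re-mapped, and all addresses and host names are assumptions made for the example.

```python
"""Dynamic (DDNS-style) mapping of remote host names to virtual hosts.

Added example, not the patent's own code. Forward: a requested host name is
answered with the address of a virtual host on the interface ("use virtual
host X.X.X.X"). Reverse: the virtual host maps its own address back to the
host name to choose its configuration sub-file. Virtual hosts are leased
least-recently-used; an idle lease past the time-out may be re-mapped to a
different remote host. LoadSharingResolver spreads the same mapping over
parallel machines and skips one that is down. All names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Lease:
    remote_name: str
    last_used: float
    open_connections: int = 0


@dataclass
class DynamicMapper:
    """Pool of virtual-host addresses on one interface of one machine."""
    pool: List[str]
    timeout: float                                   # idle seconds before re-mapping
    leases: Dict[str, Lease] = field(default_factory=dict)   # vh address -> lease

    def lookup(self, remote_name: str) -> Optional[str]:
        return next((a for a, l in self.leases.items() if l.remote_name == remote_name), None)

    def forward(self, remote_name: str, now: float) -> Optional[str]:
        """DNS answer for the requestor, or None if no virtual host is available."""
        addr = self.lookup(remote_name)
        if addr is not None:                         # keep an existing mapping stable
            self.leases[addr].last_used = now
            return addr
        free = [a for a in self.pool if a not in self.leases]
        if free:
            addr = free[0]
        else:   # only idle hosts past the time-out may be taken; least recently used first
            idle = [a for a, l in self.leases.items()
                    if l.open_connections == 0 and now - l.last_used >= self.timeout]
            if not idle:
                return None
            addr = min(idle, key=lambda a: self.leases[a].last_used)
        self.leases[addr] = Lease(remote_name, now)
        return addr

    def reverse(self, vh_addr: str) -> Optional[str]:
        """Reverse lookup by the virtual host: which configuration to use."""
        lease = self.leases.get(vh_addr)
        return lease.remote_name if lease else None

    def open_connection(self, vh_addr: str, now: float) -> None:
        self.leases[vh_addr].open_connections += 1
        self.leases[vh_addr].last_used = now

    def close_connection(self, vh_addr: str, now: float) -> None:
        self.leases[vh_addr].open_connections -= 1
        self.leases[vh_addr].last_used = now          # the idle clock starts at close

    def load(self) -> int:
        return sum(l.open_connections for l in self.leases.values())


@dataclass
class LoadSharingResolver:
    """Parallel physical machines answering for the same names (cf. FIG. 4)."""
    machines: Dict[str, DynamicMapper]
    down: Set[str] = field(default_factory=set)

    def forward(self, remote_name: str, now: float) -> Optional[Tuple[str, str]]:
        up = {n: m for n, m in self.machines.items() if n not in self.down}
        for n, m in up.items():                       # an existing mapping wins
            if m.lookup(remote_name):
                return n, m.forward(remote_name, now)
        for n, m in sorted(up.items(), key=lambda nm: (nm[1].load(), nm[0])):
            addr = m.forward(remote_name, now)        # least busy machine answers first
            if addr:
                return n, addr
        return None


def demo() -> dict:
    m = DynamicMapper(pool=["10.0.0.1", "10.0.0.2"], timeout=60.0)
    out = {}
    homer = m.forward("homer.odyssey.com", now=0.0)
    argos = m.forward("argos.odyssey.com", now=1.0)
    out["distinct"] = homer != argos
    out["stable"] = m.forward("homer.odyssey.com", now=2.0) == homer
    out["reverse"] = m.reverse(homer)
    out["full"] = m.forward("ithaca.odyssey.com", now=3.0)   # nothing idle long enough yet
    m.open_connection(homer, 3.0)
    m.close_connection(homer, 4.0)
    # At t=70 both leases are idle past the time-out; LRU picks argos's virtual host.
    out["remapped_to_lru"] = m.forward("ithaca.odyssey.com", now=70.0) == argos
    out["reverse_after_remap"] = m.reverse(argos)
    share = LoadSharingResolver(machines={"A": DynamicMapper(["10.0.1.1"], 60.0),
                                          "B": DynamicMapper(["10.0.2.1"], 60.0)}, down={"A"})
    out["failover"] = share.forward("homer.odyssey.com", now=0.0)   # A down: B answers
    share.down.clear()
    out["sticky"] = share.forward("homer.odyssey.com", now=1.0)     # mapping stays on B
    out["spread"] = share.forward("argos.odyssey.com", now=2.0)     # new name goes to A
    return out
```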

As the popularity and use of the Internet continues to grow, there is a concern that all available addresses will be used, thereby limiting further expansion. An important result of DDNS is that network addresses may be reused on network segments between which at least one firewall intervenes. More particularly, the addresses which are employed on opposite sides of a firewall are mutually exclusive of one another to avoid routing errors. Referring again to the example of FIG. 1, users of the Internet 120 are unaware of the addresses employed on a network segment 110. Certain addresses can be reserved for use behind a firewall. As shown in FIG. 1, for example, the subset of addresses represented as 192.168.X.X can be used on the network segment 110. So long as an address is not used on both sides of the same firewall, no routing errors will be introduced. Therefore, the same set of addresses can be used on the network segment 160, which is separated from the Internet via the firewall 157. On network segment 102 and network segment 152, the entire address space may be used, less those addresses used on the segments 110, 120 of the respective firewalls 105 and 155. Thus, by isolating Internet Service Providers (ISPs) from the Internet at large using firewalls of the type described, each ISP could enjoy use of almost the full address space of the Internet (2^32 addresses). Exhaustion of network addresses, presently a grave concern within the Internet community, is therefore made highly unlikely.

Address reuse may be further facilitated by providing multiple multi-homing firewall programs running on a single physical machine and defining a virtual network connection between the two firewall programs using an IP address within the range 192.168.X.X as described previously. To the user and to the outside world, this "compound firewall" appears as a single multi-homing firewall of the type previously described. However, since internally the firewall is really two firewalls, the entire Internet address space may be used on both sides of the firewall, except for the addresses 192.168.X.X. This configuration is illustrated in FIG. 9.

In essence, the use of firewalls as presently described allows the prevailing address model of network communications to be transformed from one in which IP addresses are used for end-to-end transport to one in which host names are used for end-to-end transport, with IP addresses being of only local significance. The current use of IP addresses for end-to-end transport may be referred to as address-based routing. Using address-based routing, address exhaustion becomes a real and pressing concern. The use of host names for end-to-end transport as presently described may be referred to as name-based routing. Using name-based routing, the problem of address exhaustion is eliminated.

The firewall as described also allows for envoys to handle connectionless (e.g., UDP, User Datagram Protocol) traffic, which has been problematic in the prior art. UDP is an example of a connectionless protocol in which packets are launched without any end-to-end handshaking. In the case of many prior-art firewalls, UDP traffic goes right through the firewall unimpeded. The present firewall handles connectionless traffic using envoys. Rules checking is performed on a first data packet to be sent from the first computer to the second computer. If the result of this rules checking is to allow the first packet to be sent, a time-out limit associated with communications between the first computer and the second computer via UDP is established, and the first packet is sent from one of the virtual hosts to the second computer on behalf of the first computer. Thereafter, for so long as the time-out limit has not expired, subsequent packets between the first computer and the second computer are checked and sent. A long-lived session is therefore created for UDP traffic. After the time-out limit has expired, the virtual host may be remapped to a different network address to handle a different connection.
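The UDP envoy behaviour just described, as an added example that is not the patent's code: the rules predicate is consulted only for the first datagram of a flow, an allowed flow becomes a session with a time-out, later datagrams in either direction are checked against the session table rather than the rules, and once the time-out passes the session is reclaimed. The `UdpEnvoy` name, the choice to refresh the time-out on every datagram (an idle time-out), the direction-independent session key, and the sample policy and addresses are assumptions of this example.

```python
"""Connectionless (UDP) traffic through an envoy with a session time-out.

Added example modelling the scheme described in the text; not the patent's
own code. The allow predicate stands in for the access-rules check and is
only run on the first datagram between two endpoints. A session is keyed
direction-independently so replies ride on the same session. Every datagram
on a live session refreshes its expiry (an idle time-out, assumed here);
expired sessions are dropped and a later datagram must pass the rules again.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Endpoint = Tuple[str, int]               # (address, port)
FlowKey = Tuple[Endpoint, Endpoint]


@dataclass
class UdpEnvoy:
    allow: Callable[[Endpoint, Endpoint], bool]   # rules check for a first packet
    timeout: float                                # seconds of silence before reclaim
    sessions: Dict[FlowKey, float] = field(default_factory=dict)   # key -> expiry time
    log: List[str] = field(default_factory=list)

    @staticmethod
    def _key(src: Endpoint, dst: Endpoint) -> FlowKey:
        # Order the endpoints so a reply maps to the same session as the request.
        return (src, dst) if (src, dst) <= (dst, src) else (dst, src)

    def expire(self, now: float) -> int:
        """Drop sessions whose time-out has passed; return how many were dropped."""
        dead = [k for k, exp in self.sessions.items() if exp <= now]
        for k in dead:
            del self.sessions[k]
            self.log.append(f"{now:.0f} session expired {k}")
        return len(dead)

    def datagram(self, src: Endpoint, dst: Endpoint, now: float) -> bool:
        """Return True if the datagram is forwarded on behalf of the sender."""
        self.expire(now)
        key = self._key(src, dst)
        if key not in self.sessions:
            # No live session: this is a first packet, so the rules decide.
            if not self.allow(src, dst):
                self.log.append(f"{now:.0f} deny {src}->{dst}")
                return False
            self.log.append(f"{now:.0f} session open {key}")
        self.sessions[key] = now + self.timeout       # refresh the time-out
        return True


def demo() -> dict:
    """Constructed policy: hosts on 192.168.0.0/24 may send DNS queries (port 53) out."""
    def rules(src: Endpoint, dst: Endpoint) -> bool:
        return src[0].startswith("192.168.0.") and dst[1] == 53

    env = UdpEnvoy(allow=rules, timeout=30.0)
    client = ("192.168.0.7", 40000)
    dns = ("198.51.100.2", 53)
    other = ("198.51.100.9", 161)
    out = {}
    out["first_allowed"] = env.datagram(client, dns, 0.0)        # rules pass: session opens
    out["reply_allowed"] = env.datagram(dns, client, 1.0)        # reply rides the session
    out["denied"] = env.datagram(client, other, 2.0)             # port 161 is not allowed
    out["unsolicited_denied"] = env.datagram(other, client, 3.0) # outside host, no session
    out["kept_alive"] = env.datagram(client, dns, 25.0)          # expiry moves to t=55
    out["live_sessions"] = len(env.sessions)
    out["still_open_at_50"] = env.datagram(dns, client, 50.0)    # expiry moves to t=80
    out["expired_at_90"] = env.expire(90.0)                      # one session reclaimed
    out["after_expiry"] = env.datagram(dns, client, 91.0)        # reply with no session fails
    return out
```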

The construction of a typical firewall in accordance with 
the present invention will now be described in greater detail. 
Referring to FIG. 5, the firewall is a software package that 
runs on a physical machine 500. One example of a suitable 
machine is a super-minicomputer such as a SparcServer 
machine available from Sun Microsystems of Menlo Park, 
Calif. The firewall may, however, run on any of a wide 
variety of suitable platforms and operating systems. The 
present invention is not dependent upon a particular choice 
of platform and operating system. 

Conventionally, the logical view of the firewall on the 
Internet, an intranet, or some other computer network is the 
same as the physical view of the underlying hardware. A 
single network address has been associated with a single 
network interface. As a result, no mechanism has existed for 
distinguishing between communications received on a 
single network interface and hence directing those commu- 
nications to different logical machines. 

As described previously, this limitation may be overcome by recognizing multiple addresses on a single network interface, mapping between respective addresses and respective virtual hosts, and directing communications to different addresses to different virtual hosts. Therefore, the present firewall, although it runs on a limited number of physical machines, such as a single computer 500, appears on the network as a larger number of virtual hosts VH1 through VHn. Each virtual host has a separate configuration sub-file (sub-database) C1, C2, etc., that may be derived from a master configuration file, or database, 510. The configuration sub-files are text files that may be used to enable or disable different functions for each virtual host, specify which connections and types of traffic will be allowed and which will be denied, etc. Because the configuration files are text files, they may be easily modified at any time following initial installation.

Preferably, each virtual host also has its own separate log file L1, L2, etc. This feature allows for more precise and more effective security monitoring.

The firewall is capable of servicing many simultaneous 
connections. The number of allowable simultaneous con- 
nections is configurable and may be limited to a predeter- 
mined number, or may be limited not by number but only by 
the load currently experienced by the physical machine. The 
number of maximum allowable connections or the maxi- 
mum allowable machine load may be specified in the 
configuration file. 

As described in greater detail in connection with FIG. 7, each configuration file C1, C2, etc., may have an access rules database 513, including an Allow portion 515, a Deny portion 517, or both. Using the access rules database 513, the firewall selectively allows and denies connections to implement a network security policy.

The firewall is self-daemoning, meaning that it is not subject to the limitations ordinarily imposed by the usual Internet meta-daemon, INETD, or other operating-system limitations. Referring to FIG. 6, when the firewall is brought up, it first reads in the master configuration file and then becomes a daemon and waits for connection requests. When a connection request is received, the firewall spawns a process, or execution thread, to create a virtual host VHn to handle that connection request. Each process runs off the same base code. However, each process will typically use its own sub-database from within the master configuration database to determine the configuration of that particular virtual host. Processes are created "on demand" as connection requests are received and terminate as service of those connection requests is completed.

An example of a portion of a master configuration file is shown in FIG. 7. Within the master configuration file database, different portions of the file form sub-databases for different virtual hosts. Each sub-database may specify a root directory for that particular virtual host. Also as part of the configuration file of each virtual host, an access rules database is provided governing access to and through the virtual host, i.e., which connections will be allowed and which connections will be denied. The syntax of the access rules database is such as to allow greater flexibility in specifying not only what machines are or are not to be allowed access, but also when such access is allowed to occur and which users are authorized. The access rules database may have an Allow portion, a Deny portion or both. Processing with respect to the Allow database is performed prior to processing with respect to the Deny database. Therefore, if there is an entry for the requested connection in the Allow database and no entry for that connection in the Deny database, then the connection will be allowed. If there is no Allow database and no entry in the Deny database, then the connection will also be allowed. If there is an entry for the requested connection in the Deny database, then the connection will be denied regardless. Machines may be specified by name or by IP address, and may include "wildcards," address masks, etc., for example: MisterPain.com, *.srmc.com, 192.168.0.*, 192.168.0.0/24, and so on.

Time restrictions may be included in either the Allow rules or the Deny rules. For example, access may be allowed from 1 am to 12 pm; alternatively, access may be denied from 12 pm to 1 am. Also, rules may be defined by identifiers, such as RULE1, RULE2, etc., and used elsewhere within the configuration sub-file of the virtual host to simplify and alleviate the need for replication.

All access rules must be satisfied in order to gain access to a virtual host. Depending on the virtual host, however, and as specified within the configuration sub-file, separate access scrutiny may be applied based on DNS entries. The accessing machine may be required to have a DNS (Domain Name Services) entry. Having a DNS entry lends at least some level of legitimacy to the accessing machine. Furthermore, the accessing machine may in addition be required to have a reverse DNS entry. Finally, it may be required that the forward DNS entry and the reverse DNS entry match each other, i.e., that an address mapped to from a given host name map back to the same host name.

If access is granted and a connection is opened, when the connection is later closed, a log entry is made recording information about that access. Log entries may also be made when a connection is opened, as data transport proceeds, etc.

Referring now to FIG. 8, the logical structure of the present firewall is shown in greater detail. The main execution of the firewall is controlled by a daemon. In FIG. 8, the daemon includes elements 801, 803 and 805. Although the daemon mode of operation is the default mode, the same code can also be run interactively under the conventional INETD daemon. Hence, when the firewall is first brought up, command-line processing is performed in block 801 to determine the mode of operation (daemon or interactive), which configuration file to read, etc. For purposes of the present discussion, the daemon mode of operation, which is the default, will be assumed.

In the daemon mode of operation, a process first reads the configuration file before becoming a daemon. By daemonizing after the configuration file (e.g., the master configuration file) has been read, the configuration file in effect becomes "hard coded" into the program such that the program no longer has to read it in. The daemon then waits to receive a connection request.

When a connection request is received, the daemon spawns a process to handle the connection request. This process then uses a piece of code referred to herein as an INET Wrapper 810 to check on the local side of the connection and the remote side of the connection to determine, in accordance with the appropriate Allow and Deny databases, whether the connection is to be allowed. First the address and name (if possible) are obtained of the virtual host for which a connection is requested. Once the virtual host has been identified by name or at least by IP address, the master configuration database is scanned to see if a corresponding sub-database exists for that virtual host. If so, the sub-database is set as the configuration database of the virtual host so that the master configuration database need no longer be referred to. If no corresponding sub-database is found, then by default the master configuration database is used as the configuration database. There may be any number of virtual hosts, all independently configurable and all running on the same physical machine. The determination of which virtual host the process is to become is made in block 803, under the heading of "multi-homing." Once the process has determined which host it is, immediately thereafter, the process changes to a user profile in block 805 as defined in the configuration, so as to become an unprivileged user. This step of becoming an unprivileged user is a security measure that avoids various known security hazards. The INET Wrapper is then used to check on the remote host, i.e., the host requesting the connection. First, the configuration database is consulted to determine the level of access scrutiny that will be applied. (The default level of access scrutiny is that no DNS entry is required.) Then, the address and name (if possible) are obtained of the machine requesting the connection, and the appropriate level of access scrutiny is applied as determined from the configuration database.

If the remote host satisfies the required level of access scrutiny insofar as DNS entries are concerned, the INET Wrapper gets the Allow and Deny databases for the virtual host. First the Allow database is checked, and if there is an Allow database but the remote host is not found in it, the connection is denied. Then the Deny database is checked. If the remote host is found in the Deny database, then the connection is denied regardless of the Allow database. All other rules must also be satisfied, regarding time of access, etc. If all the rules are satisfied, then the connection is allowed.
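The Allow/Deny evaluation order, the host patterns (name, wildcard, `192.168.0.*`, CIDR), the time windows and the DNS scrutiny levels described in the preceding paragraphs can be exercised together in a single check routine. This is an added example and not the patent's INET Wrapper: the rule syntax, the `Rule`, `VirtualHostConfig`, `Resolver` and `check_connection` names, the three scrutiny levels modelled (none; a reverse entry exists; the reverse entry's name resolves back to the address) and all hosts, addresses and DNS data are assumptions constructed for the example. It keeps the text's order: scrutiny first, then the Allow database (if present the remote host must match), then the Deny database (a match denies regardless), then the remaining rules such as time of access.

```python
"""Allow/Deny access-rule evaluation for one virtual host (added example).

Not the patent's code; the syntax and names are this example's own. A Rule
names a host pattern (host name, *.domain wildcard, 192.168.0.* address
wildcard, or CIDR mask) and an optional clock-hour window. The resolver is
injected so the DNS scrutiny step runs offline on constructed data.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    host: str                                   # e.g. "*.odyssey.com", "192.168.0.*", "10.0.0.0/8"
    hours: Optional[Tuple[int, int]] = None     # (start, end) hours, end exclusive, may wrap midnight

    def host_matches(self, addr: str, name: Optional[str]) -> bool:
        if "/" in self.host:
            return ip_address(addr) in ip_network(self.host, strict=False)
        if fnmatch(addr, self.host):            # address wildcard such as 192.168.0.*
            return True
        return name is not None and fnmatch(name.lower(), self.host.lower())

    def time_matches(self, hour: int) -> bool:
        if self.hours is None:
            return True
        start, end = self.hours
        if start <= end:
            return start <= hour < end
        return hour >= start or hour < end      # window wrapping past midnight


# DNS scrutiny levels; the text's default is that no DNS entry is required.
NONE, REVERSE, MATCH = range(3)


@dataclass
class Resolver:
    """Constructed stand-in for DNS: forward name -> addresses, reverse address -> name."""
    forward: Dict[str, List[str]]
    reverse: Dict[str, str]


@dataclass
class VirtualHostConfig:
    allow: Optional[List[Rule]]                 # None means "no Allow database"
    deny: List[Rule]
    scrutiny: int = NONE


def dns_scrutiny(addr: str, level: int, resolver: Resolver) -> Tuple[bool, Optional[str]]:
    """Apply the configured level; also return the remote name (if any) for rule matching."""
    name = resolver.reverse.get(addr)
    if level == NONE:
        return True, name
    if name is None:                            # REVERSE and MATCH both need a reverse entry
        return False, None
    if level == REVERSE:
        return True, name
    return addr in resolver.forward.get(name, []), name   # MATCH: forward maps back to addr


def check_connection(cfg: VirtualHostConfig, addr: str, hour: int, resolver: Resolver) -> Tuple[bool, str]:
    ok, name = dns_scrutiny(addr, cfg.scrutiny, resolver)
    if not ok:
        return False, "dns scrutiny failed"
    allow_hit = None
    if cfg.allow is not None:                   # Allow database first: remote host must be in it
        allow_hit = next((r for r in cfg.allow if r.host_matches(addr, name)), None)
        if allow_hit is None:
            return False, "not in Allow database"
    if any(r.host_matches(addr, name) and r.time_matches(hour) for r in cfg.deny):
        return False, "in Deny database"        # denied regardless of the Allow database
    if allow_hit is not None and not allow_hit.time_matches(hour):
        return False, "outside allowed hours"   # the remaining rules, e.g. time of access
    return True, "allowed"


def demo() -> dict:
    resolver = Resolver(
        forward={"homer.odyssey.com": ["192.168.0.7"], "rogue.odyssey.com": ["192.168.0.66"],
                 "spoof.example": ["203.0.113.5"], "ns.example": ["198.51.100.2"]},
        reverse={"192.168.0.7": "homer.odyssey.com", "192.168.0.66": "rogue.odyssey.com",
                 "203.0.113.5": "spoof.example", "203.0.113.9": "spoof.example",
                 "198.51.100.2": "ns.example"},
    )
    cfg = VirtualHostConfig(
        allow=[Rule("192.168.0.*"), Rule("*.odyssey.com"), Rule("203.0.113.0/24", hours=(1, 12))],
        deny=[Rule("192.168.0.66")],
        scrutiny=MATCH,
    )
    out = {}
    out["lan"] = check_connection(cfg, "192.168.0.7", 9, resolver)
    out["denied_regardless"] = check_connection(cfg, "192.168.0.66", 9, resolver)
    out["outside_in_hours"] = check_connection(cfg, "203.0.113.5", 3, resolver)
    out["outside_after_hours"] = check_connection(cfg, "203.0.113.5", 13, resolver)
    out["forward_reverse_mismatch"] = check_connection(cfg, "203.0.113.9", 3, resolver)
    out["not_in_allow"] = check_connection(cfg, "198.51.100.2", 9, resolver)
    # A host with no Allow database: allowed unless a Deny rule (here a time-windowed one) hits.
    open_cfg = VirtualHostConfig(allow=None, deny=[Rule("203.0.113.0/24", hours=(12, 1))])
    out["no_allow_db"] = check_connection(open_cfg, "198.51.100.77", 9, resolver)
    out["deny_window"] = check_connection(open_cfg, "203.0.113.5", 23, resolver)
    out["deny_window_off"] = check_connection(open_cfg, "203.0.113.5", 5, resolver)
    return out
```

Note the `forward_reverse_mismatch` case: 203.0.113.9 has a reverse entry claiming the same name as 203.0.113.5, but that name does not resolve back to .9, so the MATCH level rejects it before the Allow database is even consulted.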
Once the connection has been allowed, the virtual host process invokes code 818 that performs protocol-based connection processing and, optionally, code 823 that performs channel processing (encryption, decryption, compression, decompression, etc.). When processing is completed, the connection is closed, if it has not already been closed implicitly.

It will be appreciated by those of ordinary skill in the art that the invention can be embodied in other specific forms without departing from the spirit or essential character thereof. The presently disclosed embodiments are therefore considered in all respects to be illustrative and not restrictive. The scope of the invention is indicated by the appended claims rather than the foregoing description, and all changes which come within the meaning and range of equivalents thereof are intended to be embraced therein.

What is claimed is: 

1. A method of establishing a connection between a first computer and a second remote computer along a route from the first computer to the second computer through a first intermediate system having a first interface to a first computer network and a second interface to a second computer network, without requiring a user to know of the intermediate system, the method comprising the steps of:

configuring the first intermediate system as a plurality of virtual hosts, each responsive to a network address used on one of the first and second computer networks;

mapping from a name of the second computer to a network address of one of the virtual hosts of the first intermediate system, said one of the virtual hosts being associated with the first interface;

issuing a request for a connection from the first computer to the second computer by specifying the name of the second computer;

receiving the request at the first interface and routing the request to said one of the virtual hosts in accordance with said mapping;

establishing a first bi-directional connection from the first computer to said one of the virtual hosts;

establishing a second bi-directional connection from said one of the virtual hosts to the second computer on behalf of the first computer; and

passing data between the first computer and the second computer using the first and second bi-directional connections.

2. The method of claim 1, wherein configuring comprises configuring the first intermediate system as a first plurality of virtual hosts, each responsive to a network address used on the first computer network, and a second plurality of virtual hosts, each responsive to a network address used on the second computer network.

3. The method of claim 2, wherein the firewall functions as a firewall, disallowing at least some connections based on information in a configuration file of said one virtual host.

4. The method of claim 3, wherein one or more additional firewalls intervene along said route, each additional firewall having a first interface to a first computer network of that firewall and a second interface to a second computer network of that firewall, comprising the further steps of, for each of the additional firewalls:

configuring the additional firewall as a first plurality of virtual hosts, each responsive to a network address used on the first computer network of the additional firewall, and a second plurality of virtual hosts, each responsive to a network address used on the second computer network of the additional firewall;

mapping from a name of the second computer to a network address of one of the virtual hosts of the additional firewall, said one of the virtual hosts being associated with the first interface; and

routing the request to said one of the virtual hosts of the additional firewall in accordance with said mapping;

wherein said bidirectional connection on behalf of the first computer is established through said one of the virtual hosts of each successive firewall along said route.

5. The method of claim 4, wherein each virtual host of 
each firewall is independently configurable insofar as what 
connections are allowed and disallowed by that virtual host. 

6. The method of claim 4, comprising the further steps of:

sending data from the first computer to the second computer;

at least one of the first computer and said virtual hosts encrypting the data; and

at least one of others of the virtual hosts and said second computer decrypting the data.

7. The method of claim 6, wherein multiple ones of the 
first computer and said virtual hosts encrypt the data, pro- 
ducing multiply-encrypted data. 

8. The method of claim 7, wherein the second computer decrypts the multiply-encrypted data.

9. The method of claim 4, comprising the further steps of, 
for at least one of the firewalls: 

providing multiple physical computers, each configured 
as a plurality of virtual hosts, a first virtual host on one 
of said physical machines being identically configured 
as a second virtual host on another of said physical 
machines; 

wherein said mapping from a name of the second com- 
puter to a network address of one of the virtual hosts of 
the firewall is made dynamically to one of said first 
virtual host and said second virtual host depending on 
availability of said one physical machine and said 
another physical machine. 

10. The method of claim 1, wherein establishing the 
connection to the second computer comprises: 

sending a first information string from the second com- 
puter to a user of the first computer through an out-of- 
band channel; and 

requiring that the second computer receive from the first 
computer a second information string dependent on 
said first information string in order to establish the 
connection. 
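The out-of-band qualification of claim 10 can be modelled as a one-time challenge/response gate. The block below is an added illustration, not code from the patent: the destination host issues a first information string (a random challenge), which is handed to the user over an out-of-band channel (simulated with a dictionary), and the connection is established only if the source presents a second string that depends on the challenge. The shared secret, the HMAC-SHA256 construction, single-use challenges and the 120-second validity window are assumptions of this example.

```python
"""Challenge/response gate modelled on claim 10 (added example, not the
patent's own code). The shared secret, HMAC-SHA256 and the 120-second
window are assumptions; the out-of-band channel is simulated."""
import hmac
import hashlib
import secrets
import time

CHALLENGE_TTL_SECONDS = 120  # assumed validity window for a challenge


def expected_response(secret: bytes, challenge: str) -> str:
    """Second information string: an HMAC over the challenge (assumed scheme)."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


class DestinationHost:
    """The 'second computer' of claim 10: issues and verifies challenges."""

    def __init__(self, shared_secret: bytes, clock=time.monotonic):
        self._secret = shared_secret
        self._clock = clock
        # challenge -> time issued; every challenge is single-use
        self._outstanding: dict = {}

    def issue_challenge(self) -> str:
        """First information string, delivered to the user out of band."""
        challenge = secrets.token_hex(16)
        self._outstanding[challenge] = self._clock()
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        """Accept only a known, unused, unexpired challenge with a matching response."""
        issued = self._outstanding.pop(challenge, None)
        if issued is None:
            return False  # unknown, or already consumed (replay)
        if self._clock() - issued > CHALLENGE_TTL_SECONDS:
            return False  # expired
        expected = expected_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def establish_connection(dest: DestinationHost, challenge: str, response: str) -> str:
    """Connection decision taken by the destination."""
    return "ESTABLISHED" if dest.verify(challenge, response) else "REFUSED"


def demo() -> list:
    """Constructed walk-through: success, replay, bad response, expiry."""
    secret = b"constructed-shared-secret"
    fake_now = [1000.0]                      # controllable clock for the demo
    dest = DestinationHost(secret, clock=lambda: fake_now[0])
    out_of_band = {}                         # stands in for e.g. a phone call or token

    c1 = dest.issue_challenge()
    out_of_band["user"] = c1                 # user receives it out of band
    good = expected_response(secret, out_of_band["user"])
    results = [establish_connection(dest, c1, good)]           # ESTABLISHED
    results.append(establish_connection(dest, c1, good))       # REFUSED: replayed challenge

    c2 = dest.issue_challenge()
    results.append(establish_connection(dest, c2, "wrong"))    # REFUSED: bad response

    c3 = dest.issue_challenge()
    fake_now[0] += CHALLENGE_TTL_SECONDS + 1                   # let it expire
    results.append(establish_connection(dest, c3, expected_response(secret, c3)))  # REFUSED
    return results


if __name__ == "__main__":
    print(demo())
```

Because the challenge is consumed on first use and bounded in time, a captured response cannot be replayed later, and the response itself is useless without the shared secret.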

11. A firewall for selectively allowing connections to be 
established between pairs of remote computers through the 
firewall without requiring users to know of the firewall, 
comprising: 

a physical computer connected to a first computer net- 
work through a first network interface and a second 
computer network through a second network interface, 
the physical computer being configured as at least a 
first virtual host, responsive to a network address used 
on the first computer network, and at least a second 
virtual host responsive to a network address used on the 
second computer network; 

configuration information for each of said virtual hosts, 
specifying which connections each of said virtual hosts 
will allow; and 

means for mapping from a name of a destination com- 
puter to one of said virtual hosts; and 

connection processing means for, if a requested connec- 
tion from a source computer to said destination com- 
puter is allowed according to configuration information
of said one of said virtual hosts, establishing such a
connection on behalf of the source computer; else, if
the requested connection is not allowed, refusing the
connection.

12. The apparatus of claim 11, wherein said physical 
computer is connected to one or more additional computer 
networks through one or more respective network interfaces, 
the physical computer being configured to provide for each 
additional computer network a plurality of virtual hosts,
each responsive to a network address used on the additional 
computer network. 

13. The apparatus of claim 11, further comprising: 

a special-purpose virtual host with which an external host 
communicates to configure the firewall.

14. The apparatus of claim 13, wherein the special- 
purpose virtual host and the external host communicate 
using a hyper-text-based protocol. 

15. A virtual private network allowing for confidential 
communications between a first computer network and a
second computer network via a third computer network, 
comprising a first firewall intervening between the first 
computer network and the third computer network and a 
second firewall intervening between the second computer 
network and the third computer network, wherein each of
the first firewall and the second firewall comprises: 

a physical computer connected to a first computer net- 
work through a first network interface and a second 
computer network through a second network interface, 
the physical computer being configured as at least a
first virtual host, responsive to a network address used 
on the first computer network, and at least a second 
virtual host responsive to a network address used on the 
second computer network; 

configuration information for each of said virtual hosts,
specifying which connections each of said virtual hosts 
will allow; and 

means for mapping from a name of a destination 
computer to one of said virtual hosts; and 

connection processing means for, if a requested connection
from a source computer to said destination
computer is allowed according to a configuration file 
of said one of said virtual hosts, establishing such a 
connection on behalf of the source computer; else, if 
the requested connection is not allowed, refusing the
connection. 

16. The apparatus of claim 15, wherein said channel 
processing means further comprises an encryption means for 
encryption of data in a direction inbound to said third 
computer network and decryption of data in a direction
outbound from said third computer network. 

17. The apparatus of claim 16, wherein network addresses 
used on the first computer network and network addresses 
used on the second computer network include at least one 
common address.

18. The apparatus of claim 17, wherein most or all of the 
network addresses used on the first computer network and 
network addresses used on the second computer network are 
common to both the first and second computer networks. 

19. A method of providing communications between a
communications process running on a first computer and a 
communications process running on a second remote com- 
puter along a route from the first computer to the second 
computer through an intervening firewall having a first 
interface to a first computer network and a second interface
to a second computer network, without requiring a user to
know of the intervening firewall, the communications process
running on both the first computer and the second
computer being based on a connection-less datagram 
protocol, the method comprising the steps of: 

configuring the firewall as a plurality of virtual hosts, each 
responsive to a network address used on one of the first 
and second computer networks; 
mapping from a name of the second computer to a 
network address of one of the virtual hosts of the 
firewall; 

issuing a request from the first computer to the second 
computer by specifying the name of the second com- 
puter; 

routing the request within a first data packet to said one of 
the virtual hosts in accordance with said mapping; 

performing rules checking on said first data packet to be 
sent from the first computer to the second computer, 
including checking a destination port number of the 
first data packet; 

if the result of said rules checking is to allow said first 
packet to be sent, establishing a time-out limit associated
with communications between the first computer
and the second computer via said protocol, and sending 
said first packet from said one of the virtual hosts to the 
second computer on behalf of the first computer; 

for so long as said time-out limit has not expired, per- 
forming rules checking on and sending subsequent 
packets, if allowable, between the first computer and 
the second computer; and 

when said time-out limit expires, freeing said one of the 
virtual hosts for mapping to a different network 
address. 
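The datagram envoy of claim 19 keeps per-destination state even though the protocol itself is connectionless. The following model is an added illustration, not code from the patent: a pool of virtual-host addresses on the firewall is mapped on demand to a destination name; every datagram is rules-checked on its destination port; the first allowed datagram starts a time-out; later datagrams pass while the limit has not expired; and on expiry the virtual host is freed for mapping to another destination. The addresses, the port policy, the 30-second limit and the choice to refresh the limit on each allowed datagram are assumptions of this example.

```python
"""Connectionless (datagram) envoy modelled on claim 19 (added example,
not the patent's own code). Addresses, port policy, the 30-second
time-out and the refresh-on-traffic behaviour are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

UDP_TIMEOUT_SECONDS = 30.0  # assumed time-out limit


@dataclass
class Datagram:
    src: str
    dst_name: str
    dst_port: int
    payload: bytes


@dataclass
class Envoy:
    """State held for one destination while its time-out has not expired."""
    dst_name: str
    expires_at: float


@dataclass
class DatagramFirewall:
    free_vhosts: list          # virtual-host addresses not currently mapped (constructed)
    allowed_ports: set         # destination ports the rules allow (constructed)
    vhost_by_name: dict = field(default_factory=dict)   # destination name -> vhost
    envoys: dict = field(default_factory=dict)          # vhost -> Envoy
    forwarded: list = field(default_factory=list)       # (vhost, dst_name, payload)

    def rules_check(self, d: Datagram) -> bool:
        """Claim 19's rules check: here, the destination port only."""
        return d.dst_port in self.allowed_ports

    def expire(self, now: float) -> None:
        """Free every virtual host whose time-out limit has expired."""
        for vhost, envoy in list(self.envoys.items()):
            if now >= envoy.expires_at:
                del self.envoys[vhost]
                del self.vhost_by_name[envoy.dst_name]
                self.free_vhosts.append(vhost)

    def map_name(self, name: str) -> Optional[str]:
        """Map a destination name to a virtual host, taking a free one if needed."""
        vhost = self.vhost_by_name.get(name)
        if vhost is None and self.free_vhosts:
            vhost = self.free_vhosts.pop(0)
            self.vhost_by_name[name] = vhost
        return vhost

    def handle(self, d: Datagram, now: float) -> str:
        self.expire(now)
        vhost = self.map_name(d.dst_name)
        if vhost is None:
            return "NO_VHOST"            # pool exhausted
        if not self.rules_check(d):
            if vhost not in self.envoys:
                # nothing was ever allowed for this name: give the vhost back
                del self.vhost_by_name[d.dst_name]
                self.free_vhosts.insert(0, vhost)
            return "DROPPED"
        envoy = self.envoys.get(vhost)
        if envoy is None:
            self.envoys[vhost] = Envoy(d.dst_name, now + UDP_TIMEOUT_SECONDS)
        else:
            envoy.expires_at = now + UDP_TIMEOUT_SECONDS   # assumed: refresh on traffic
        self.forwarded.append((vhost, d.dst_name, d.payload))
        return "FORWARDED"


def demo():
    """Constructed traffic: allow, drop, allow within limit, expire and remap."""
    fw = DatagramFirewall(free_vhosts=["10.0.0.10", "10.0.0.11"], allowed_ports={53, 123})
    q = Datagram("192.168.1.5", "ns.example.test", 53, b"constructed query")
    statuses = [fw.handle(q, now=0.0)]                                   # FORWARDED
    statuses.append(fw.handle(Datagram("192.168.1.5", "ns.example.test", 9999, b"x"), now=5.0))  # DROPPED
    statuses.append(fw.handle(q, now=20.0))                              # FORWARDED, limit refreshed to 50
    statuses.append(fw.handle(q, now=60.0))                              # expired at 50: vhost freed, name remapped
    return statuses, dict(fw.vhost_by_name), list(fw.free_vhosts)


if __name__ == "__main__":
    print(demo())
```

The time-out is what bounds the resource: without it, each destination name would pin a virtual-host address forever, and the pool in `free_vhosts` would be exhausted by the first few names seen.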

20. A load-sharing firewall, comprising: 

a plurality of physical computers, each connected to a first 
computer network through a first network interface and 
a second computer network through a second network 
interface, the physical computers each being configured 
as a first plurality of virtual hosts, each responsive to a 
network address used on the said first computer 
network, and a second plurality of virtual hosts each 
responsive to a network address used on the second 
computer network; 

configuration information for each of said virtual hosts, 
specifying which connections each of said virtual hosts 
will allow; and 

means for mapping from a name of a destination com- 
puter to one of said virtual hosts based on the avail- 
ability of a corresponding physical computer; and 

connection processing means for, if a requested connec- 
tion from a source computer to said destination com- 
puter is allowed according to a configuration file of said 
one of said virtual hosts, establishing such a connection 
on behalf of the source computer; else, if the requested 
connection is not allowed, refusing the connection. 
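Claims 9, 11 and 20 together describe a firewall built from several physical computers, each carrying identically configured virtual hosts, where the name-to-virtual-host mapping is made dynamically according to which physical computer is available, and each virtual host allows or refuses connections from its own configuration. The model below is an added illustration, not code from the patent: two physical computers share one rule set, the mapper round-robins across the available ones, and connection processing returns the decision. Host names, addresses, the rule format and the round-robin policy are assumptions of this example.

```python
"""Load-sharing, multi-homed firewall modelled on claims 9, 11 and 20
(added example, not the patent's own code). Names, addresses, the rule
format and the round-robin selection are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_prefix: str     # source-address prefix; "" matches any source
    dst_port: int


@dataclass
class VirtualHost:
    address: str
    interface: str      # "first" or "second", per the interface it answers on
    allowed: frozenset  # configuration information: the Rules this vhost allows

    def allows(self, src: str, dst_port: int) -> bool:
        return any(src.startswith(r.src_prefix) and r.dst_port == dst_port
                   for r in self.allowed)


@dataclass
class PhysicalComputer:
    name: str
    available: bool
    vhosts: dict        # destination name served -> VirtualHost on this machine


@dataclass
class LoadSharingFirewall:
    machines: list
    _rr: int = 0        # round-robin cursor (assumed policy)

    def map_name(self, dst_name: str) -> Optional[VirtualHost]:
        """Dynamic mapping: the same name resolves to a vhost on whichever
        physical computer is currently available (claims 9 and 20)."""
        n = len(self.machines)
        for i in range(n):
            m = self.machines[(self._rr + i) % n]
            if m.available and dst_name in m.vhosts:
                self._rr = (self._rr + i + 1) % n
                return m.vhosts[dst_name]
        return None

    def process_connection(self, src: str, dst_name: str, dst_port: int) -> str:
        """Connection processing means of claims 11 and 20."""
        vh = self.map_name(dst_name)
        if vh is None:
            return "UNREACHABLE"
        if vh.allows(src, dst_port):
            return f"ESTABLISHED via {vh.address}"
        return f"REFUSED by {vh.address}"


def build_demo() -> LoadSharingFirewall:
    """Two constructed machines; the vhost on each is identically configured
    (they share one rule set) but answers on its own address."""
    rules = frozenset({Rule("192.168.", 443), Rule("192.168.", 80)})

    def machine(name: str, addr: str) -> PhysicalComputer:
        return PhysicalComputer(name, True,
                                {"www.example.test": VirtualHost(addr, "first", rules)})

    return LoadSharingFirewall([machine("fw-a", "10.0.0.10"), machine("fw-b", "10.0.0.11")])


def demo() -> list:
    fw = build_demo()
    out = [fw.process_connection("192.168.1.5", "www.example.test", 443)]   # via 10.0.0.10
    out.append(fw.process_connection("192.168.1.5", "www.example.test", 443))  # via 10.0.0.11
    fw.machines[1].available = False                                          # fw-b goes down
    out.append(fw.process_connection("192.168.1.5", "www.example.test", 443))  # via 10.0.0.10
    out.append(fw.process_connection("192.168.1.5", "www.example.test", 22))   # REFUSED by rules
    out.append(fw.process_connection("192.168.1.5", "db.example.test", 443))   # no vhost serves it
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because the policy lives in the virtual host's configuration and every machine carries the same configuration, failing over from one physical computer to another changes the address a name resolves to but never the set of connections that are allowed.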

21. A computer-readable medium containing computer 
instructions executable by a computer, the instructions com- 
prising: 

instructions for configuring a first intermediate system 
connected to a first interface of a first computer net- 
work and a second interface on a second computer 
network as a plurality of virtual hosts, each responsive 
to a network address used on one of the first and second 
computer networks; 
instructions for mapping from a name of a second com-
puter on the second computer network to a network 
address of one of the virtual hosts of the first interme- 
diate system, said one of the virtual hosts being asso- 
ciated with the first interface; 

instructions for issuing a request for a connection from a
first computer on the first computer network to the second
computer by specifying the name of the second computer;

instructions for receiving the request at the first interface 
and routing the request to said one of the virtual hosts 
in accordance with said mapping; 
instructions for establishing a first bi-directional connec-
tion from the first computer to said one of the virtual 
hosts; 

instructions for establishing a second bi-directional connection
from said one of the virtual hosts to the second
computer on behalf of the first computer; and

instructions for passing data between the first computer 
and the second computer using the first and second 
bi-directional connections. 